Spam Levels Creep Back Up 2 Weeks After McColo Shutdown

By Brian Prince
Posted 2008-11-25

Spam levels appear to be rising again after a steep decline.

According to researchers at MessageLabs, now part of Symantec, spam volumes
have doubled since last week. Spam levels dropped off dramatically with the shutdown
of Web hosting company McColo on Nov. 11. Though the firm briefly gained new
life the weekend of Nov. 15, it was quickly shut down again, and spam at first remained
at relatively low levels.

McColo played host to a number
of major botnets, including Rustock and Asprox. According to Matt Sergeant,
senior anti-spam technologist at MessageLabs, the lag between the initial
decline and the subsequent rise was due to the time it took for the botnet
owners to find a new ISP and bandwidth provider.

"The Asprox and Rustock botnets are back with a vengeance after having
found new command and control," Sergeant said in an e-mail. "Cutwail
never went away and it seems its owners have used the opportunity to increase
output. Mega-D is also on the rise again," he said. "Srizbi, having
once been responsible for 50 percent of all spam, is now completely defunct.
Without this botnet, spam levels won't return to what they had been."

In a blog post, Symantec
Security Response noted that in addition to overall spam volumes being up,
the percentage of spam messages containing a text/html content-type MIME part
has jumped to 55 percent of all spam. Since the McColo takedown, that
percentage has been around 34 percent; prior to the shutdown it was more than
55 percent. This change indicates that a return to normal spam activity could
be in the works, according to the blog.

"When we took a closer look at the spam contained in the spikes, it was
revealed that there was an increased use of HTML," the blog post said.
"The spam messages were typical 'Canadian Pharmacy' spam messages that
were using short HTML messages with a varying set of domains in the URLs. The
spam messages were being sent from compromised hosts around the globe."

From an enterprise security perspective, the same threat of spam exists as it always
did, Sergeant said.

"Even while levels were down, organizations
should have maintained the same levels of vigilance as they had when spam
was at its highest," he said. "Organizations should continue to keep
spam filters and anti-virus engines updated as always."